top of page
Writer's pictureAnand P

Configuring User Enrollment with Company Portal in Intune

Updated: Oct 15

Newly enrolled devices are not supported for this enrollment profile type by Microsoft Intune. This article is specifically relevant to existing devices that have this profile type. Microsoft suggests using Account-driven User Enrollment for new enrollments.

In a previous blog post, I covered the various types of enrollment available for iOS/ipadOS devices in Intune. If you haven't read that post yet, I recommend checking it out to gain a better understanding of Different types of iOS/iPadOS Enrollment In Intune. In this blog post, I will explain how to configure user enrollment using the company portal and provide an overview of the end-user enrollment experience.


I have written a blog that explains Account-driven User Enrollment in Intune both enrollment types are almost similar but only differ in the enrollment method


What is user enrollment with the company portal?


It is more of a streamlined enrollment process that provides admins with a subset of device management options. With user enrollment, a managed Apple ID (federated) is created on the device, and the managed Apple ID can be used in conjunction with the user's personal Apple ID. On the device, a separate volume is created containing Apps, Notes, Calendar attachments, mail attachments, keychain items, etc.


This enrollment generally creates containers or partitions for Work and Personal data that help admins secure work-related information. Work-related data can only be managed in a work container or partition, and the same applies to personal profiles. Admins can only manage Organization accounts, settings, and information provisioned with Intune. The information and settings related to a person's account cannot be managed. This protects corporate data in apps managed by the organization.


Table Of Content

Prerequisites for user enrollment with company profile.



To use Apple User Enrollment, you need to generate and give managed Apple IDs to the enrolling users. If federated authentication is enabled by linking Apple Business Manager with Microsoft Entra ID, there is no need to create and provide individual Apple IDs for each user. Instead, a device user can access their apps using the same login credentials as their work account.

Steps to Configure User Enrollment With Company Portal


Step1: Login to Microsoft Intune admin center https://intune.microsoft.com navigate to Devices and select iOS/iPadOS



Step 2: Select iOS/iPadOS enrollment and select enrollment types.



Step 3: Tap on Create Profile and select iOS/iPadOS to create an enrollment-type profile.



Step 4: Enter the name for the enrollment type as required and the description if needed ( for demonstration purposes I had only entered a name for the profile as it is mandatory ) and tap on Next to continue



Step 5: Select user enrollment with the company portal and tap Next


Step 6: Select a group or all users as required, in this example, I will be using a group, tap Select to add the group or users and tap Next to continue



Step 7: Verify the settings and select Create to complete the profile creation.



Now the profile is created

Let's see the end-user experience


Download Intune Company Portal and Microsoft Authenticator from the App Store, enter your user principal name or email address, and tap on Next, this will sign in to your account to the company portal which will take you through other steps like multifactor authentication or the IDP settings by the organization.


Once the user signs in to the company portal, the device will start the enrollment process tap on Begin to start the enrollment, for user enrollment with the company portal you need the Microsoft Authenticator app as a pre-requites if the app is already available this will register the account if not the page will take you to download the app. Once Microsoft Authenticator is downloaded you can see the Install Microsoft Authenticator check box is green tap on Continue



Next, it will take you to Review privacy information On this page you can see the Can't and Can options which will help the user understand what the organization can see and can't see, tap on continue the enrollment


Tap on Continue to start the download of the Management profile, to start the download tap on Allow, to complete the installation of the profile navigate to settings on your iOS/iPadOS, Select Enroll in "Your Organization's Name" and enter the device passcode to continue the enrollment


Now you can see the Organization name and Apple ID (which will be your manage Apple Managed ID), tap on Enroll My iPad ( since I am enrolling an iPad it is showing as iPad, this will be different according to the device that you are enrolling ) this will take you through the sign-in page and if multifactor authentication is enabled that as well once sign-in is completed tap on Continue.


You can see the management profile details from the device settings by navigating back to the company portal app



You can see the device is ready and tap on Done to complete the enrollment process



The data separation is created upon the completion of enrollment, apple will create separate encryption keys for user and work data, and the encryption keys are securely destroyed once the device is unenrolled by the user or retired by the admin. You can see the data separation for iCloud, notes, and reminders and the same applies to other applications as well.



On the admin end, they can only manage organizational data remotely as options like wipe are grayed out. These types of enrolled devices can only be retired.



How to Remove the Management Profile


Users can remove the management profile by tapping the Remove Management Option, the user needs to provide the device passcode tap on Done, and tap on Remove all the applications and data associated which is almost the Retire option.



Conclusion

This blog post will provide you with a clear and concise set of instructions on how to enroll iOS/iPad OS devices using the User Enrollment method with the Company Portal Enrollment type.



793 views0 comments

Recent Posts

See All
2023-02-01_17-26-41.jpg
About Me

Thank you for taking the time to visit my website. My name is Anand P, and I work as a Senior Engineer in IT. This blog is dedicated to providing articles on various Microsoft technologies such as Intune, Azure AD, Microsoft Defender for Endpoint, Azure, EMS, M365, Security, and more. Most of the content on this blog is based on the solutions and issues I encounter in my everyday work, and I use this platform as a technical notebook to keep track of my findings. Please note that any views expressed in my posts on this site are solely my own. Also, any code, scripts, demos, or examples provided in the blog posts are only for illustration. I hope you find my blog posts informative and useful.

Never Miss a Post. Subscribe Now!

Thanks for submitting!

  • LinkedIn
  • YouTube

Copyright © 2024 by Cloud Tek Space.

bottom of page